QUESTIONS AND ANSWERS GRADED A+
✔✔Vault Encryption Keys - ✔✔Operator Key
Master Key
✔✔Operator Key - ✔✔Vault encryption key used for runtime encryption tasks
✔✔Master Key - ✔✔Vault encryption key used for recovery operations
✔✔Principles of Protecting Sensitive Accounts and Encryption Keys - ✔✔1. Use the
Microsoft Windows Password Reset Disk utility prior to installing the vault, and store the
Local Admin account password in a physical safe on a USB drive
2. Store the Master Password separately from the Master Key and each should be
assigned to different entities within an organization
3. Store the Master Key and Password in a physical safe
4. Do not store the Operator Key on the same media as the data (use an HSM)
✔✔Principles of Using Secure Protocols - ✔✔1. HTTPs for the PVWA
2. LDAPs for Vault-LDAP integration and CPM Windows scans
3. RDP/TLS for connections to the PSM and from PSM to target machines
4. SSH (instead of telnet) for password management
✔✔Principles for Monitoring Logs for Irregularities - ✔✔1. Aggregate CyberArk logs
within your SIEM
2. Monitor and alert upon excessive authentication failures, logins to the Vault server
OS, and logins as Admin or Master
3. Consider implementing PTA
✔✔Is it ok to join the Digital Vault to an Active Directory Domain? - ✔✔No. It can lead to
the following: pass-the-hash attack, golden ticket attack, malicious or accidental
changes in domain GPO, attacks through open firewall ports, increased operational risk
due to enablement of unnecessary services.
✔✔Why does CyberArk prohibit the installation of anti-virus and other agents on the
Digital Vault? - ✔✔Vulnerability due to opened firewall ports.
✔✔Why should you store the Operator Key on the HSM? - ✔✔If the Server Key is
stored on the local file system of the Digital Vault, it puts the system at risk. If an
attacker were to gain access to the operating system, Server Key, and encrypted data,
it would be possible for the attacker to reverse engineer the encryption process and
gain access to Digital Vault data.
✔✔CyberArk Proprietary Protocol or VPN Port - ✔✔TCP1858
,✔✔What percentage of encryption processes occur on the client side? - ✔✔95%
✔✔Supported Authentication Methods - ✔✔CyberArk (Vault auth)
LDAP
RADIUS
Windows
PKI Auth
RSA SecurID
Amazon Cognito
SAML
Google Auth
Oracle SSO
✔✔Supported Encryption Methods - ✔✔AES-256/AES0128
RSA-2048/RSA-1024
3DES
SHA-256
✔✔Installation Package Consists of: - ✔✔Two copies of Operator CD
Two copies of the Master CD
License Agreement
✔✔Operator CD contains: - ✔✔Server Key
Recovery Public Key
✔✔Master CD contains: - ✔✔Recovery Private Key
✔✔Which CD is needed for Vault installation? - ✔✔Operator CD
✔✔When is the Master CD used? - ✔✔Emergency situations
✔✔These items need to be copied to the Vault Server before hardening: - ✔✔CyberArk
Server and Client Installation software
Operator CD
CyberArk License File
Digital Certificates installed for LDAP integration
✔✔Vault Installation Pre-Requisites - ✔✔Remove unnecessary network components
Eliminate DNS entries
Disable WINS
✔✔Distributes Vaults Internal Communication Platform - ✔✔RabbitMQ
✔✔CyberArk Vault Services - ✔✔CyberArk Event Notification Engine
CyberArk Hardened Windows Firewall
,CyberArk Logic Container
PrivateArk Database
PrivateArk Remote Control Agent
PrivateArk Server
✔✔Vault Main Configuration Files Folder Location - ✔✔PrivateArk\Server\Conf
✔✔Vault Configuration Files - ✔✔dbparm.ini
license.xml
paragent.ini
passparm.ini
tsparm.ini
✔✔Vault Log Files Folder Location - ✔✔PrivateArk\Server\Logs
✔✔Default Vault Safes - ✔✔Notification Engine, System, Vault Internal
✔✔Vault Configuration Files Safe - ✔✔System Safe (includes the italog.log)
✔✔When do you install HSM software? - ✔✔BEFORE installing CyberArk
✔✔What are the steps for integrating the HSM once the Vault is installed? - ✔✔1. Open
FW port to HSM in dbparm.ini
2. Configure HSM in dbparm.ini
3. Enroll the Vault in the HSM server
4. Encrypt PIN code for HSM connectivity
5. Load existing Server Key to HSM
6. Point dbparm.ini to Server Key on HSM
7. Restart the Vault
8. Generate a new server key on HSM
- Insert Master CD
- Run ChangeServerKeys
9. Point dbparm.ini to the NEW key in HSM
10. Restart the Vault
✔✔True or False: All encryption is processed by the Digital Vault Server? - ✔✔False -
95% of encryption happens on the client side
✔✔True or False: The Windows firewall on the Digital Vault server is managed by the
Vault, therefore all firewall rules must be defined in the main configuration file,
dbparm.ini. - ✔✔True
✔✔True or False: The ITALog.log is the Vault's primary log file. It can be found in the
\PrivateArk\Server directory. - ✔✔False - It can be found in the \PrivateArk\Server\Logs
folder.
, ✔✔True or False: CyberArk does not support MAC or DAC, only RBAC. - ✔✔False - It
supports all three.
RBAC = granular entitlements
DAC = enabling creation of custom roles
MAC = Limit where and when users and components can authenticate to the vault.
✔✔Installation Order - ✔✔Vault
PVWA
CPM
PSM
PSMP
Vault Backup & Disaster Recovery
✔✔PVWA Installation Log Files - ✔✔PVWAInstall.log
PVWAInstallEnv.log
✔✔PVWA Installation Log Files Location -
✔✔C:\Users\Administrator\AppData\Local\Temp
✔✔PVWA Safes - ✔✔PVWAConfig
PVWAProvateUserPrefs
PVWAPublicData
PVWAReports
PVWATaskDefinitions
PVWATicketingSystem
PVWAUserPrefs
✔✔PVWAConfig Safe - ✔✔Contains all the configuration settings for the Password
Vault Web Access
✔✔PVWAPrivateUserPrefs Safe - ✔✔Contains the user preference settings for the
Password Vault Web Access interface
✔✔Which PVWA safes should not be accessed directly? - ✔✔PVWAConfig &
PVWAPrivateUserPrefs
✔✔PVWAReports Safe - ✔✔Used for internal processes related to generating reports
✔✔Where is the Policies.xml file located, and what does it contain? - ✔✔It is located in
the PVWAConfig safe, and it contains the "UI & Workflow" settings for all platforms.
✔✔PVWA Vault Users and Groups - ✔✔PVWAppUser
PVWAGWUser